版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
1、importance of it controls to sarbanes-oxley 1the importance of it controls to sarbanes-oxley compliance. 2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 2 provide a high-level overview of sarbanes-oxley and the internal control certification requirements discuss the importance
2、of information technology in internal control over financial reporting describe how the sarbanes-oxley section 404 rules impact information technology provide an overview of the cobit it control framework provide an example of a readiness program roadmap summarize the importance and impact of it con
3、trols to sarbanes-oxley compliancetodays objectives 2003 firm name/legal entityimportance of it controls to sarbanes-oxley 3setting the stage2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 4setting the stage what is internal control? internal control is broadly defined as a pro
4、cess, effected by an entitys board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations reliability of financial reporting compliance with applicable laws
5、 and regulations internal control is now the law the sarbanes-oxley act of 2002 was created to restore investor confidence in the public markets section 404 of the act requires management to establish and maintain internal control and requires the independent auditors to evaluate compliance deadline
6、: year-ends on or after november 15, 2004 preparing for sarbanes-oxley compliance is a significant and challenging task there are many requirements, including the identification of significant financial statement accounts, processes and systems that support them and then documenting and testing them
7、 2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 5overview of internal control certification requirementssection 302 certification overviewceo and cfo to make specific certifications as of the end of each quarterly and annual reporting period, including: report contains no untr
8、ue statements report is fairly presented in all material respects responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting became effective in 2002 (amended in june 2003)section 404 certification overviewceo and cfo to cert
9、ify as of the end of every annual reporting period: their responsibility for establishing and maintaining effective internal controls over financial reporting their assessment of internal controls, accompanied by the independent auditors attestation report effective for annual periods ending after n
10、ovember 15, 2004 (small business and foreign filers july15, 2005).2003 firm name/legal entityimportance of it controls to sarbanes-oxley 6understanding the rules impact to it2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 7understanding the rules impact to it management is requ
11、ired to assess the design and effectiveness of its internal control over financial reporting and provide an assertion to that effect in the published financial statements. the companys external auditors are required to express an opinion on managements assessment as well their own opinion on the com
12、panys internal controls. auditor must perform a walkthrough of major classes of transactions for significant processes to understand process flows, and assess the design and effectiveness of controls including application and it general controls. evaluate the design effectiveness of it controls to d
13、etermine whether they are properly designed to achieve relevant assertions. perform tests of the operating effectiveness of it controls that are necessary to achieve relevant assertions.key compliance requirementsimpact to it controls2004 deloitte & touche llpimportance of it controls to sarbanes-ox
14、ley 8(paragraph 47)“the auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting”(paragraph 73)“most processes involve a series of tasks such as capturing input da
15、ta, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. the processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to i
16、nitiate, authorize, record, process and report transactions.” the pcaob rules are clear - auditors must understand how transactions flow through the system not around itunderstanding the rules impact to it contd2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 9(paragraph 69)“the
17、 auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported. identify the points within th
18、e process at which a misstatement including a misstatement due to fraud related to each relevant financial statement assertion could arise. identify the controls that management has implemented to address these potential misstatements. identify the controls that management has implemented over the p
19、revention or timely detection of unauthorized acquisition, use, or disposition of the companys assets. pcaob statements applicable to application controls:understanding the rules impact to it contd2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 10(paragraph 40)“determining whic
20、h controls should be tested generally, such controls include information technology general controls, on which other controls are dependent”(paragraph 50)“some controls have a pervasive effect on the achievement of many objectives for example, information technology general controls over program dev
21、elopment, program changes, computer operations, and access to programs and data” pcaob statements applicable to it general controls:understanding the rules impact to it contd2003 firm name/legal entityimportance of it controls to sarbanes-oxley 11the importance of information technology in internal
22、control over financial reporting 2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 12 for most organizations, it is pervasive and critical to the financial reporting process financial and routine business applications are commonly used to initiate, authorize, record, process and
23、report transactions relevant it controls include application controls - those that are embedded in financial and business applications general computer controls underlying infrastructure components that support the applications statements made by the public company accounting and oversight board (pc
24、aob) on the impact of it (paragraph 75):“the nature and characteristics of a companys use of information technology in its information system affect the companys internal control over financial reporting”the importance of information technology (it) in internal control over financial reporting2004 d
25、eloitte & touche llpimportance of it controls to sarbanes-oxley 13application controls soddata integritycompletenessvalidationgeneral computing controlsinformation securityoperationsdatabase impl. & supportnetwork supportbusiness processclasses of transactions salesreturnswrite offssignificant accou
26、nt balance balance sheet (ar)incomestatementg/linventoryotherar mgt processfcrpsales processprocess stagesinitiaterecordprocessreport application impl. & maint.system software supportthe role of information technology in internal control over financial reporting contd2004 deloitte & touche llpimport
27、ance of it controls to sarbanes-oxley 14 account balance: trade ar, sales classes of transactions: invoices, sales orders business process: ar, sales order processes process stages: initiate, record, process application controls: access controls built in limits for credit approval restricted access
28、to pricing table gcc controls: program change operations network & system securitylink accounts and assertions to it: an example customerorder entry accounts receivable invoice controls sap, oracle, other applicationsgeneral computing controls cover security access, change management, operations, sy
29、stems and network support, data retention, etc.order processingorder & supplier controlssalessub-processcustomer controlsit infrastructurenetworkssystem softwaredatabases and informationsecurityapplication controls cover authorized changes, segregation of duties, validity, completeness and timelines
30、s of reporting of financial information.2003 firm name/legal entityimportance of it controls to sarbanes-oxley 15cobit it control framework overview2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 16cobit a model for general computer controls the it governance institute (www.itg
31、i.org) has recently published “revised” guidance for it professionals on how to address sarbanes-oxley from an it perspective april 2004 “sarbanes-oxley; the importance of information technology in the design, implementation and sustainability of internal control” the publication is the result of a
32、joint effort of industry and auditors, with leadership from deloitte and others the itgi is a recognized global leader in it governance, control and assurance with members in more than 100 countries2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 17 pcaob designates coso as the
33、prescribed standard control framework and has become the control framework of choice for sox compliance all 5 layers must be considered when evaluating internal control however, coso does not provide specific guidance around it control. cobit is a widely accepted it control framework (itgi) cobit pr
34、ovides 4 domains of it control cobit controls address the 5 layers of coso with the development of this approach, organizations can be confident that they are taking an approach that reflects coso requirementscontrol environmentrisk assessmentcontrol activitiesinformation and communicationmonitoring
35、coso componentscobit objectivesplanning and organizationplanning and organizationsection 302section 302delivery and supportdelivery and supportmonitoringmonitoringacquisition and implementationacquisition and implementationsection 404section 404information technology controls should consider the ove
36、rall governance framework to support the quality and integrity of informationcompetency in all 5 layers of cosos framework are necessary to achieve an integrated control programcontrols in information technology are relevant to both financial reporting and disclosure requirements of sarbanes-oxleyco
37、bit a model for general computer controls contd2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 18 the itgi publication provides guidance to it professionals on how to meet the sarbanes-oxley challenge detailed control objectives are provided for each cobit domain and mapped to
38、their respective coso component other control guidelines were reviewed and reconciled to this approach during the development process, including iso17799, common criteria, itil, and systrust organizations should assess their requirements on an individual basis and tailor their approach accordingly c
39、oso component cobit control objectives control environment risk assessment control activities information & communication monitoring planning & organization define a strategic it plan define the information architecture determine technological direction define the it organization and relationships m
40、anage the it investment communicate management aims and direction manage human resources ensure compliance with external requirements assess risks manage projects manage quality acquisition & implementation identify automated solutions acquire and maintain application software acquire and maintain t
41、echnology infrastructure develop and maintain procedures install and accredit systems manage changes delivery & support define and manage service levels manage third-party services manage performance and capacity ensure continuous service ensure systems security identify and allocate costs educate a
42、nd train users assist and advise customers manage the configuration manage problems and incidents manage data manage facilities manage operations monitoring monitor the processes assess internal control adequacy obtain independent assurance provide for independent audit coso componentscobit objectiv
43、escobit a model for general computer controls contd2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 19 the cobit soa framework identified a sub-set of these areas for the purpose of focusing on soa requirements company level: planning & organizing / monitoring cobit a model for
44、general computer controls contdplanning & organization it strategic planning it organization and relationships management of human resources educate and train users information architecture communication of mgmt aims and direction assessment of risks manage the it investment manage projectsmonitorin
45、g compliance with external requirements management of quality ensure continuous service performance and capacity monitoring adequacy of internal controls independent assurance internal audit activity level: acquisition and implementation / delivery and support program development (sdlc) program chan
46、ges computer operations (scheduling, backup, problem management) access to programs and data (applications, database, operating system, network)2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 20top 5 list 404 it controls requirementssecurity application and platform based focus
47、ed on applications that may impact financials and supporting infrastructure requires secure operating systems, database, network, firewalls and infrastructure auditors will look for excessive access; lack of segregation of duties; inadequate approval of access; they will be testing key processes to
48、determine that they are effectivechange control need to ensure that procedures are in place to control and ensure proper approval of changes to production technical controls must tightly limit and control developer access to productiondisaster recovery focus will be on basic backup and recoverabilit
49、y of financial datait governance focus will be on determining of there are clear policies, procedures, and communications within it are there clear segregation of duties? is there the appropriate “tone at the top” of the it organization?development and implementation activities proper controls need
50、to be built in before a new system or system changes go in the production environment auditors may evaluate new financial systems; data conversion and testing are critical2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 21most common it control gaps to remediatechange control pr
51、ocesses not fully in place (especially in distributed or web based environments) security procedures, strategies, and profile structures not documented for critical applications. organizational security policies, procedures, and roles and responsibility gaps. security administration procedures lack
52、appropriate controls or consistency inadequate controls to delete or change access when individual leaves of changes job responsibilities (especially contractors) inadequate approval of access changes access levels not regularly reviewed and approved by managementexcessive access to systems privileg
53、ed access to operating system, database, and application environment inadequate segregation of duties application developers and dbas have access to production infrastructure supporting applications is not secure (network, operating system, database) it controls not integrated into key business proc
54、esses (e.g. sdlc, change control, compliance, testing and data conversion procedures) lack of a regular process to verify that controls continue to be adequate and effective (at least quarterly)no long term strategy to evaluate and address risksthe areas that will get hit hardest are security and ch
55、ange control2003 firm name/legal entityimportance of it controls to sarbanes-oxley 22it control readiness roadmap2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 23soa readiness roadmap preparing for sox 404 requires a structured and measured approach, otherwise you will find yo
56、urself doing “too much” or “too little” the current pcaob rules require auditors to attest on “management assessment process” as such, the readiness roadmap that many organizations are following demonstrates the assessment process through a series of steps and activities that align to the pcaob rule
57、s2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 24soa readiness roadmapbusiness valuesarbanes-oxley it compliance1. plan & scopefinancial reporting processsupporting systems3. identify significant controlsapplication controls - over initiating, recording, processing & reportin
58、git general controls5. evaluate control designmitigates control risk to an acceptable levelunderstood by users8. document process & resultscoordination with auditorsinternal sign-off (302, 404)independent sign-off (404) 7. identify & remediate deficienciessignificant deficienciesmaterial weaknessrem
59、ediation6. evaluate operational effectivenessinternal audittechnical testingself assessmentinquiry +all locations and controls (annual)4. document controls policy manualsproceduresnarrativesflowchartsconfigurationsassessment questionnaires2. perform risk assessmentprobability & impact to businesssiz
60、e / complexity9. build sustainabilityinternal evaluationexternal evaluation2004 deloitte & touche llpimportance of it controls to sarbanes-oxley 25a readiness roadmapplan & scopekey considerations in-scope vs out-of-scope systems opportunities for improvement prevention, identification and detection
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 河北省秦皇岛市马圈子中学高二数学文期末试题含解析
- 语文本体性教学心得体会4篇
- 维修工转正申请书6篇
- 北京顺义区高丽营第二中学高一数学理期末试卷含解析
- 简单个人借款合同3篇
- 有关教学年终工作总结3篇
- 由于个人的原因辞职报告7篇
- 特教老师工作总结3篇
- 辽宁省大连市普兰店第七高级中学高三数学理上学期期末试卷含解析
- 汽车电气系统检修(第2版)课件 项目1 汽车电气基础知识
- 第7课《珍视亲情+学会感恩》第1框《浓浓亲情+相伴一生》【中职专用】《心理健康与职业生涯》(高教版2023基础模块)
- 新能源汽车项目招商引资方案
- 局部通风机停电停风应急救援预案及措施5篇汇编
- 视瞻昏渺护理课件
- 单桩水平承载力计算
- 2024届山东济南市历下区重点中学中考二模生物试题含解析
- 实验室体系培训考试试题
- BIM考试判断练习试题附答案
- 阳光分级阅读 Sloppy Tiger and the Party 课件
- 物流营销(第四版) 课件 第六章 物流营销策略制定
- 出海角色扮演类游戏文本特点及翻译策略
评论
0/150
提交评论